Don't Send Your Association's Email Lists To Criminals

Date: February 26, 2015

On an almost daily basis, we hear about a high profile company falling victim to a cyber-attack.  While the news media has been replete with stories about high profile, for-profit businesses falling victim to computer hackers, nonprofit associations are now also a prime target for cyber criminals.  

No organization is immune from a cyber-attack, as the attacks are pervasive across all industries.  Nonprofit associations face considerable liability risks, especially if credit card, bank or a member’s personal information such as social security number or birth date is obtained by the cyber criminals.  Such risks include government and regulatory investigations and fines, and lawsuits seeking damages for invasion of privacy, misappropriation of confidential information, and a myriad of other issues.  In addition to legal risks, there are also financial and practical ramifications associated with business interruptions and trying to protect the nonprofit association’s brand, reputation, and donor relations. 

A cyber-attack can take many forms and can be used to access various kinds of organizational information.  For instance, in the well-known Target case, cyber criminals installed malware on Target’s computer system and then captured customer debit and credit card information.  However, in several recent cases involving nonprofit associations, cyber criminals utilized some very simple steps to gain unauthorized access to organizational data.  These attacks involved cyber criminals pretending to be someone with authority within the association or a trusted vendor, a practice called “spoofing.”  In these cases, the cyber criminals high jacked the email system and then used the system to send an email to targeted junior staff or an email vendor responsible for maintaining the association’s email lists.  The emails appeared to come from the CEO and, in fact, were sent from the CEO’s email account.  The emails instructed the junior staff member or vendor to forward specific member information to the CEO’s work email and a fraudulent email address identified as the CEO’s personal email account.   In each case, the staff or vendor complied with the request and unknowingly sent the email member list to a hacker

These types of attacks have a high success rate, primarily because they target specific staff members within an organization.  Often those staff members are junior staff members who do not feel comfortable questioning a request that comes from the CEO or senior management.   Fortunately, there are some very simple steps an organization can take to protect itself against such an attack.   From an Internet Technology perspective, the organization should ensure that there are systems and controls in place to screen suspicious URLs and IP addresses and block malicious materials.   Just as important, however, is implementing a company-wide training to educate staff members about such attacks, discussing with them the impact such an attack could have on the organization, and instructing them on how to handle suspicious emails or requests for organizational data.   Staff and vendors should be instructed to not transmit the association’s membership lists or other important data without first verifying the identity of the recipient.

All states now have very strict laws regarding security breaches and business organizations, including nonprofit associations, are required to design and implement a written information security plan (“WISP”) for safeguarding organizational data.  For this reason, associations should ensure they know the laws that apply to them and take all necessary steps, including developing a WISP, to protect their organizational data. 

Readers interested in learning more about the subject of this article or other cyber security issues affecting nonprofit organizations may contact Jeff Glassie at